OPNsense Forum » English Forums » Virtual private networks » customize ipsec weak cipher sets
Topic: customize ipsec weak cipher sets (Read 112 times)
m256 (Newbie, Posts: 2, Karma: 0)
customize ipsec weak cipher sets
« on: November 17, 2024, 11:51:49 am »
Hello,
I need to temporarily make an IPsec connection to some old TP-Link router which supports just weak cipher sets, nothing more secure than AES128-SHA1-DH5.
I know it is not available in the GUI for good reasons and the support has been removed, but what if I manually edit some conf files (ipsec.conf, swanctl.conf), etc.?
Is adding charon { proposals = 3des-sha1-modp1536 } gonna do something?
What about editing the conf backup and adding 3des-sha1-modp1536 to the tunnel proposals?
Thanks!
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1588, Karma: 176)
Re: customize ipsec weak cipher sets
« Reply #1 on: November 17, 2024, 12:20:13 pm »
https://docs.opnsense.org/manual/vpnet.html
Check out the custom configuration section for ipsec.
You can do anything in here that strongswan supports.
Hardware: DEC740
m256 (Newbie, Posts: 2, Karma: 0)
Re: customize ipsec weak cipher sets
« Reply #2 on: November 17, 2024, 01:25:14 pm »
Thank you. Seems like I was on the right track.
So to get insecure ciphers for IPsec my friend can:
1) add custom.conf with
charon {
    proposals = 3des-sha1-modp1536, aes128-sha1-modp1536
}
2) edit backup-config.xml and set this on the connection node of the tunnel
<proposals>default,3des-sha1-modp1536, aes128-sha1-modp1536</proposals>
3) restore the modded backup file
Correct?
Thanks!
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1588, Karma: 176)
Re: customize ipsec weak cipher sets
« Reply #3 on: November 17, 2024, 01:28:14 pm »
I would set the whole custom tunnel in that custom configuration file.
I would not edit the config.xml or restore a tampered backup.
Hardware: DEC740
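
An added example, not from the thread or the OPNsense project: a small Python check that reads swanctl.conf-style text and reports which connections carry weak algorithm keywords, so a temporary legacy exception can be confirmed as confined to one tunnel. The sample configuration, its connection names and addresses, and the WEAK keyword list are constructed assumptions.

```python
import re

# Constructed sample in swanctl.conf syntax: only the legacy connection carries
# the weak proposals named in the thread; names and addresses are placeholders.
SAMPLE = """
connections {
    legacy-tplink {
        version = 1
        remote_addrs = 192.0.2.10
        proposals = aes128-sha1-modp1536, 3des-sha1-modp1536
        children {
            legacy-net {
                esp_proposals = aes128-sha1-modp1536
            }
        }
    }
    site-b {
        remote_addrs = 198.51.100.7
        proposals = aes256gcm16-prfsha384-ecp384
    }
}
"""

# Algorithm keywords this audit treats as weak (an assumption of the example).
WEAK = {"3des", "des", "md5", "sha1", "modp768", "modp1024", "modp1536"}

def weak_proposals(conf):
    """Return {connection name: sorted weak keywords} for swanctl-style text."""
    findings, stack = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.endswith("{"):
            stack.append(line[:-1].strip())      # entering a section
        elif line == "}":
            if stack:
                stack.pop()                      # leaving a section
        elif "=" in line and len(stack) >= 2 and stack[0] == "connections":
            key, value = (p.strip() for p in line.split("=", 1))
            if key in ("proposals", "esp_proposals", "ah_proposals"):
                hits = set(re.split(r"[-,\s]+", value.lower())) & WEAK
                if hits:                         # attribute to the connection
                    findings.setdefault(stack[1], set()).update(hits)
    return {conn: sorted(h) for conn, h in findings.items()}

if __name__ == "__main__":
    for conn, algs in weak_proposals(SAMPLE).items():
        print(f"{conn}: weak algorithms {', '.join(algs)}")
```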